Extract Information from Ticket.

Michael B Allen mba2000 at ioplex.com
Mon Mar 5 11:34:03 EST 2007


On Mon, 5 Mar 2007 10:18:15 +0200
"Bruce Stewart" <BruceS at nsfas.org.za> wrote:

> > The stock jcifs distribution only supports NTLM SSO (but that actually works
> > quite well assuming you don't need delegation).
> 
> FWIW...the spnego classes accept NTLM as well as Kerberos tokens - which was a problem for us - we only wanted Kerberos tokens (because we wanted delegation).  I created our own bare bones version of the jcifs.spnego.Authentication class - removed the jcifs dependencies (i.e. NTLM code), "client" code and reflection based GSS-API code.  Instead of returning a Principal with authentication.getPrincipal(), we return a javax.security.auth.Subject (which contains the KerberosPrincipal and KerberosTicket) with getSubject().  That allows us to use Subject.doAs(subject, ...) etc.
> 
> Using the jcifs-ext code as a guide it was pretty easy for us to create exactly what we needed.

Yes, the peculiarities of the jcifs-ext SPNEGO classes using reflection
have made it difficult for me to accept it into the stock distro. And
thus jcifs-krb5 (which uses those classes) is a separate package.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
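
The Kerberos-only restriction discussed in the quoted reply can be enforced by inspecting the decoded Negotiate token before it reaches the GSS-API acceptor. The following is an added example, not code from this thread, jcifs or jcifs-ext; the class `NegotiateTokenCheck`, its methods and the sample tokens are assumptions constructed for illustration, and it needs Java 17 for `HexFormat`.

```java
import java.util.Arrays;
import java.util.HexFormat;   // Java 17+

public class NegotiateTokenCheck {
    enum Mech { KERBEROS, NTLM, UNKNOWN }
    static final HexFormat HEX = HexFormat.of();
    static final byte[] NTLMSSP     = HEX.parseHex("4e544c4d53535000");      // "NTLMSSP\0"
    static final byte[] SPNEGO_OID  = HEX.parseHex("2b0601050502");          // 1.3.6.1.5.5.2
    static final byte[] KRB5_OID    = HEX.parseHex("2a864886f712010202");    // 1.2.840.113554.1.2.2
    static final byte[] MS_KRB5_OID = HEX.parseHex("2a864882f712010202");    // 1.2.840.48018.1.2.2
    static final byte[] NTLM_OID    = HEX.parseHex("2b06010401823702020a");  // 1.3.6.1.4.1.311.2.2.10
    private final byte[] b; private int pos;
    NegotiateTokenCheck(byte[] b) { this.b = b; }

    // Consume one DER tag and length; pos is left at the first value byte.
    int enter(int tag) {
        if ((b[pos++] & 0xff) != tag) throw new IllegalArgumentException("unexpected tag");
        int first = b[pos++] & 0xff, len = first < 0x80 ? first : 0;
        for (int n = first - 0x80; n > 0; n--) len = (len << 8) | (b[pos++] & 0xff);  // long form
        if (len < 0 || len > b.length - pos) throw new IllegalArgumentException("bad length");
        return len;
    }
    byte[] oid() {
        int len = enter(0x06);
        pos += len;
        return Arrays.copyOfRange(b, pos - len, pos);
    }

    // Classify the first token of a negotiation (later legs are NegTokenResp and not handled).
    static Mech classify(byte[] t) {
        if (t.length >= 8 && Arrays.equals(Arrays.copyOf(t, 8), NTLMSSP)) return Mech.NTLM;  // raw NTLM
        try {
            NegotiateTokenCheck r = new NegotiateTokenCheck(t);
            r.enter(0x60);                           // GSS-API InitialContextToken
            byte[] mech = r.oid();
            if (Arrays.equals(mech, SPNEGO_OID)) {   // NegTokenInit: read the first mechType
                r.enter(0xa0); r.enter(0x30); r.enter(0xa0); r.enter(0x30);
                mech = r.oid();
            }
            if (Arrays.equals(mech, KRB5_OID) || Arrays.equals(mech, MS_KRB5_OID)) return Mech.KERBEROS;
            return Arrays.equals(mech, NTLM_OID) ? Mech.NTLM : Mech.UNKNOWN;
        } catch (RuntimeException e) { return Mech.UNKNOWN; }   // truncated or malformed
    }

    public static void main(String[] args) {         // both tokens are constructed samples
        System.out.println(classify(HEX.parseHex("601b06062b0601050502a011300fa00d300b06092a864886f712010202")));
        System.out.println(classify(HEX.parseHex("4e544c4d5353500001000000")));  // raw NTLM prefix
    }
}
```

A servlet filter would Base64-decode the value after `Negotiate ` in the `Authorization` header, call `classify`, and refuse anything that is not `KERBEROS`; the token itself is still validated by the GSS-API acceptor afterwards.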



More information about the Kerberos mailing list